WebApp Sec mailing list archives

Re: PHP session management


From: Matt Rohrer <matt () prognostikos com>
Date: Sun, 26 Oct 2003 13:37:31 +0100

On Sat, Oct 25, 2003 at 06:51:13PM -0400, Gavin Zuchlinski wrote:
> Hi,
> I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX
> to store session information (of course only readable by the apache user),
> but "XXXXXXXXX" is the actual session ID. If a person has local access to a
> system using PHP's session management, aren't they able to hijack any
> session? Am I a complete moron and am missing something?

No, you're not missing anything. There's a warning about this in
the manual
http://ww.php.net/manual/en/ref.session.php#ini.session.save-path
along with notes on how to configure PHP to avoid this problem.

In general, the default configuration for session handling does not
favor security. I would look at the page referenced above for
configuration options that can be changed in the interest of security.
I'm not aware of a canonical document describing a secure configuration
for using PHP sessions, though perhaps others on the list can point
you in the right direction.
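A small audit script for the configuration fix Matt points at, added here as an example and not part of the thread: it assumes the directory named by session.save_path should be mode 0700 (no group/other bits) so other local users cannot list the sess_<ID> filenames, and it demonstrates on a constructed temporary directory rather than a live server.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks that a PHP
# session.save_path directory cannot be listed by other local users.
# Assumption: the web server account owns the directory and mode 0700 is
# the intended setting (a world-listable /tmp exposes every session ID).

# Returns 0 when $1 is a directory with no group/other permission bits, else 1.
check_session_save_path() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Portable probe: ls -ld prints e.g. "drwx------ ..."; columns 5-10
    # are the group and other permission bits.
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    return 0
}

# Creates a private session directory, the kind php.ini should point at,
# e.g.  session.save_path = "/var/lib/php/sessions-myapp"   (path assumed)
make_private_session_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
}

# Constructed demo: a private directory beside a /tmp-like shared one.
demo_root=$(mktemp -d)
make_private_session_dir "$demo_root/private"
mkdir -p "$demo_root/shared" && chmod 1777 "$demo_root/shared"
check_session_save_path "$demo_root/private" && echo "private: ok"
check_session_save_path "$demo_root/shared" || echo "shared: session IDs listable by any local user"
rm -rf "$demo_root"
```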